diff --git a/TODO.md b/TODO.md
index 9cdd777..21b7abd 100644
--- a/TODO.md
+++ b/TODO.md
@@ -1,7 +1,6 @@
 # TODO
 * aquatic_udp glommio
- * privdrop
 * disable by default!
 * access lists:
diff --git a/aquatic_udp/src/lib/glommio/mod.rs b/aquatic_udp/src/lib/glommio/mod.rs
index 636f5bf..d95121f 100644
--- a/aquatic_udp/src/lib/glommio/mod.rs
+++ b/aquatic_udp/src/lib/glommio/mod.rs
@@ -5,6 +5,7 @@ use glommio::channels::channel_mesh::MeshBuilder;
 use glommio::prelude::*;
 use crate::config::Config;
+use crate::drop_privileges_after_socket_binding;
 mod common;
 pub mod handlers;
@@ -87,6 +88,8 @@ pub fn run(config: Config) -> anyhow::Result<()> {
 executors.push(executor);
 }
+ drop_privileges_after_socket_binding(&config, num_bound_sockets).unwrap();
+
 for executor in executors {
 executor
 .expect("failed to spawn local executor")
diff --git a/aquatic_udp/src/lib/lib.rs b/aquatic_udp/src/lib/lib.rs
index 187d563..8e8cc4d 100644
--- a/aquatic_udp/src/lib/lib.rs
+++ b/aquatic_udp/src/lib/lib.rs
@@ -1,3 +1,11 @@
+use std::{
+ sync::{
+ atomic::{AtomicUsize, Ordering},
+ Arc,
+ },
+ time::Duration,
+};
+
 use cfg_if::cfg_if;
 pub mod common;
@@ -7,6 +15,7 @@ pub mod glommio;
 pub mod mio;
 use config::Config;
+use privdrop::PrivDrop;
 pub const APP_NAME: &str = "aquatic_udp: UDP BitTorrent tracker";
@@ -19,3 +28,35 @@ pub fn run(config: Config) -> ::anyhow::Result<()> {
 }
 }
 }
+
+fn drop_privileges_after_socket_binding(
+ config: &Config,
+ num_bound_sockets: Arc,
+) -> anyhow::Result<()> {
+ if config.privileges.drop_privileges {
+ let mut counter = 0usize;
+
+ loop {
+ let sockets = num_bound_sockets.load(Ordering::SeqCst);
+
+ if sockets == config.socket_workers {
+ PrivDrop::default()
+ .chroot(config.privileges.chroot_path.clone())
+ .user(config.privileges.user.clone())
+ .apply()?;
+
+ break;
+ }
+
+ ::std::thread::sleep(Duration::from_millis(10));
+
+ counter += 1;
+
+ if counter == 500 {
+ panic!("Sockets didn't bind in time for privilege drop.");
+ }
+ }
+ }
+
+ Ok(())
+}
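Review bot: The call added in the second glommio/mod.rs hunk ends in `.unwrap()` although `run` returns `anyhow::Result<()>`, so a failed `PrivDrop::apply()` now surfaces as a panic rather than as an error the caller can report; `drop_privileges_after_socket_binding(&config, num_bound_sockets)?;` keeps the failure fatal and keeps the error chain. The same applies to the call added in aquatic_udp/src/lib/mio/mod.rs, where the removed inline code propagated the error with `?`. `num_bound_sockets` is defined outside this hunk, so it is not visible here whether the glommio socket workers increment it; if they do not, the helper panics after its 500 × 10 ms wait whenever `drop_privileges` is enabled. The body of `run` starts and ends outside the hunk.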
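Review bot: The timeout branch of the new `drop_privileges_after_socket_binding` in lib.rs calls `panic!` inside a function that returns `anyhow::Result<()>`; returning the error gives the timeout and a failed `apply()` the same failure path: `anyhow::bail!("Sockets didn't bind in time for privilege drop.");`. The function also has no doc comment, and its contract is security-relevant, so I would add `/// Waits (up to 500 × 10 ms) until all socket workers have bound, then chroots and switches user; does nothing when privileges.drop_privileges is false.` A second sentence could note why the drop is deferred, presumably because binding may need the launch privileges. That reason is an inference from the function name and should be confirmed before it is written down.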
diff --git a/aquatic_udp/src/lib/mio/mod.rs b/aquatic_udp/src/lib/mio/mod.rs
index abda9c9..5c5f649 100644
--- a/aquatic_udp/src/lib/mio/mod.rs
+++ b/aquatic_udp/src/lib/mio/mod.rs
@@ -2,15 +2,11 @@ use std::thread::Builder;
 use std::time::Duration;
 use std::{
 ops::Deref,
- sync::{
- atomic::{AtomicUsize, Ordering},
- Arc,
- },
+ sync::{atomic::AtomicUsize, Arc},
 };
 use anyhow::Context;
 use crossbeam_channel::unbounded;
-use privdrop::PrivDrop;
 pub mod common;
 pub mod handlers;
@@ -20,6 +16,7 @@ pub mod tasks;
 use aquatic_common::access_list::{AccessListArcSwap, AccessListMode, AccessListQuery};
 use crate::config::Config;
+use crate::drop_privileges_after_socket_binding;
 use common::State;
@@ -38,30 +35,7 @@ pub fn run(config: Config) -> ::anyhow::Result<()> {
 start_workers(config.clone(), state.clone(), num_bound_sockets.clone())?;
- if config.privileges.drop_privileges {
- let mut counter = 0usize;
-
- loop {
- let sockets = num_bound_sockets.load(Ordering::SeqCst);
-
- if sockets == config.socket_workers {
- PrivDrop::default()
- .chroot(config.privileges.chroot_path.clone())
- .user(config.privileges.user.clone())
- .apply()?;
-
- break;
- }
-
- ::std::thread::sleep(Duration::from_millis(10));
-
- counter += 1;
-
- if counter == 500 {
- panic!("Sockets didn't bind in time for privilege drop.");
- }
- }
- }
+ drop_privileges_after_socket_binding(&config, num_bound_sockets).unwrap();
 loop {
 ::std::thread::sleep(Duration::from_secs(config.cleaning.interval));
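Review bot: In the last mio/mod.rs hunk, `start_workers(...)` runs before the privilege drop, so the worker threads exist, and may already be handling packets, with the launch privileges until the helper's wait finishes (up to 5 s by its counter). Nothing at this call site says so. A comment such as `// Workers are already running; they keep the launch privileges until this call returns.` would make that window explicit. Whether the user switch performed by `PrivDrop::apply()` reaches threads that are already running is not visible in this diff, so it is worth confirming by checking the effective uid from a worker thread after startup. The body of `run` continues outside the hunk.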